Deakin University

File(s) under permanent embargo

Defending against flow table overloading attack in software-defined networks

journal contribution
posted on 2019-01-01, 00:00 authored by B Yuan, D Zou, Shui Yu, H Jin, W Qiang, J Shen
The Software-Defined Network (SDN) is a new and promising network architecture. At the same time, SDN will surely become a new target of cyber attackers. In this paper, we point out one critical vulnerability in SDNs, the limited size of the flow table, which is a likely target of attack. Because Ternary Content Addressable Memory (TCAM) is expensive and power-hungry, a flow table usually has a limited size, and a switch can easily be disabled by a flow table overloading attack (a transformed DDoS attack) that fills its table with entries. To provide a security service in SDN, we propose a QoS-aware mitigation strategy, the peer support strategy, which pools the idle flow table resources of the whole SDN system to mitigate such an attack on a single switch. We establish a practical mathematical model of the studied system and analyse it thoroughly under various circumstances. Based on this analysis, we find that the proposed strategy can effectively defeat flow table overloading attacks. Extensive simulations and testbed-based experiments solidly support our claims. Moreover, our work also sheds light on the implementation of SDN networks against possible brute-force attacks.
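To make the attack and the mitigation idea concrete, the following is an added toy simulation, not the authors' model or code and not a reproduction of the paper's QoS-aware strategy. It assumes small fixed table capacities (100 entries), constructed attack and legitimate traffic, a burst ordering (attack first, then legitimate flows), and a placement rule that moves overflow entries to the peer switch with the most idle entries; it ignores entry timeouts and the cost of rerouting a flow through the lending switch, both of which a real deployment must account for.

```python
# Toy model of a flow-table overloading attack on one SDN switch and of a
# peer-support style mitigation that borrows idle flow-table capacity from
# other switches.  Added illustration with assumed parameters (capacities,
# flow counts, placement rule); it is not the paper's model or code.
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    capacity: int                      # assumed TCAM size in flow entries
    table: set = field(default_factory=set)

    def idle(self) -> int:
        return self.capacity - len(self.table)

    def install(self, flow) -> bool:
        """Insert a flow entry; fail when the table is full."""
        if flow in self.table:
            return True                # already present, no new entry needed
        if self.idle() <= 0:
            return False
        self.table.add(flow)
        return True


def attack_flows(n: int):
    # Constructed attack traffic: every packet carries a fresh source port, so
    # each one misses the flow table and forces a new entry to be installed.
    return [("10.0.0.99", 1024 + i, "10.0.0.1", 80, "tcp") for i in range(n)]


def legit_flows(n: int):
    # Constructed legitimate traffic from distinct clients to the same server.
    return [(f"10.0.1.{i + 1}", 40000 + i, "10.0.0.1", 443, "tcp") for i in range(n)]


def place(switches, victim, flow, peer_support):
    """Return the switch that will hold `flow`: the victim if it has room,
    otherwise (with peer support) the peer with the most idle entries.
    Ties go to the first peer in list order."""
    if victim.idle() > 0 or not peer_support:
        return victim
    peers = [s for s in switches if s is not victim and s.idle() > 0]
    if not peers:
        return victim                  # whole system exhausted
    return max(peers, key=lambda s: s.idle())


def simulate(peer_support: bool, victim_capacity=100, peer_capacity=100,
             n_attack=200, n_legit=10):
    """Drive an attack burst and then legitimate flows through the victim;
    report how many of each got an entry, how many were dropped, and the
    final occupancy per switch."""
    victim = Switch("s1", victim_capacity)
    switches = [victim, Switch("s2", peer_capacity), Switch("s3", peer_capacity)]
    stats = {"attack": 0, "legit": 0, "dropped": 0}
    traffic = [("attack", f) for f in attack_flows(n_attack)] + \
              [("legit", f) for f in legit_flows(n_legit)]
    for kind, flow in traffic:
        target = place(switches, victim, flow, peer_support)
        if target.install(flow):
            stats[kind] += 1
        else:
            stats["dropped"] += 1
    stats["occupancy"] = {s.name: len(s.table) for s in switches}
    return stats


if __name__ == "__main__":
    print("no peer support:", simulate(False))
    print("peer support:   ", simulate(True))
```

Without peer support the 200-flow burst fills the victim's 100 entries and every later legitimate flow is dropped; with peer support the overflow is spread over the two idle peers and all legitimate flows still get an entry. The simplification to keep in mind is that lending capacity only helps if the controller can actually steer the overflow traffic through the lending switch without violating the QoS of the flows already there, which is precisely the constraint the paper's strategy is designed around.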

History

Journal

IEEE transactions on services computing

Volume

12

Issue

2

Pagination

231 - 246

Publisher

IEEE

Location

Piscataway, N.J.

eISSN

1939-1374

Language

eng

Publication classification

C1 Refereed article in a scholarly journal

Copyright notice

2019, IEEE